Spamtrackers.org

Resource Links:

European SpamWiki (English)

Hong Kong SpamWiki (Chinese/English; accessible from PRC)

InboxRevenge Forums for fighting spam and internet crime

Complainterator.com

SiteAdvisor

Spammer Economy and Infrastructure

Spywarehammer.com's list of free security software downloads

Avoid having your computer hijacked by spammers

2008 Summary of Spam News

Spamtracker Archives of off-line antispam websites

Bleepingcomputer.com computer tutorials and help forums

Spywarehammer.com: Spyware/virus/malware removal help forums

Cybercrime and Doing Time: Gary Warner's Blog

I Kill Spammers and Spamit Must Fall: SpamisLame's Blogs

SpamInMyInBox: Uffe Jensen's Blog

Security Fix: Brian Krebs' Blog at the Washington Post

Spamnation

BobBear's website tracking money laundering and reshipping fraud schemes

Fight Back Against Spammers and Scammers forum

Spam Hater

The Spam Diaries

Spamhuntress

AllSpammedUp

Tech for Everyone

Security Cadets

CAUCE: Coalition Against Unsolicited Commercial Email

Abuse.net spam news

Spam Resource

Spammers vs. Free Speech


Welcome to Spamtrackers.org! This is a portal to connect you to a variety of online resources in the fight against spamming. But why fight spam?

Spam is about a lot more than unwanted junk email. And it's about more than just stolen bandwidth or people making you pay to receive their advertising.

Spam now makes up over 90% of the email being sent. Spammers mail to people who don't want to receive their messages. And they have to get past filtering by ISPs whose subscribers complain bitterly about receiving large volumes of unwanted email, often with content and images they find offensive.

If you did that, your ISP would maybe warn you once, then they'd tell you to find another ISP. And while there are ISPs that will let you send your spam if you pay them handsomely enough, it's easy enough for spam filtering software programmers to learn which ISPs those are and to block everything coming from their IP address ranges.

So how do spammers get away with it? Most are engaged in criminal activity. They hijack other people's computers to allow them to send their emails or to host the websites their spam advertises. And just to make sure those hijacked hosts are not thrown off the network by their ISPs, they hijack a LOT of people's computers so they can spread the usage around enough to avoid notice. That means they have to create and propagate malware (computer viruses, etc.) to allow them to take over other people's computers. And since their activity is illegal, they have to use fake names to register their domains, and they have to pay for it with stolen credit/debit cards or PayPal accounts.

Spammers just keep getting deeper and deeper in illegal activity in order to keep ahead of all the people who just want to be left alone. And it's ordinary people who are the victims of those crimes. In fact, you may have been sent here for more information because you were warned that your computer was being used by spammers or because your identity and credit card number were stolen.

The links on the left will connect you to some valuable resources in protecting yourself. Becoming educated about criminals is one of the most effective forms of defense. But first and foremost, NEVER buy anything advertised in spam. You don't want to encourage illegal activity, and you definitely don't want people like that to have access to your credit card number!

 

News:

December 25, 2009
Malware writers vying to violate virgin computers

"Look, Igor! Fresh meat!"

Yes, it's that time of year when millions of new computers come out of the box and onto the internet. And what will the proud owners do first -- update the trial antivirus software, or check their email?

I know which way the scammers think things will go, because they've spent Christmas Eve bombarding inboxes with new malware and phishing spams. Here are some examples. Avoid all of them -- some of these links were still alive at the time of posting here:

Subject: Facebook update tool

facebook
Dear Facebook user,
In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.
Click here [links to http://www.facebook.com.itfhtl1ii.com.pl/usersdirectory/LoginFacebook.php?ref=long string of code] to update your account online now.

If you have any questions, reference our New User Guide.
Thanks,
The Facebook Team
Update your Facebook account

Update
This message was intended for [you]@[yourISP.com].
Facebook's offices are located at 1601 S. California Ave., Palo Alto, CA 94304.

 

Subject: DHL Customer Services. Please get your parcel NR.5789

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.


Please do not reply to this e-mail, it is an unmonitored mailbox!


Thank you,
DHL Services.

[attachment "DHL_Print_label_76434.zip" is malware]

 

Subject: You have some wrong items in your Credit Report.

You have some wrong items in your Credit Report. You need to download your credit history file from Federal Credit Bureau website and carefully review it. Use your personal hyperlink. [links to http://session-5766072233698.fcb.org.icuf1itll.be/scorepages/h-files/assistant.php?session=long code number]
================================================================
Federal Credit Bureau

 

Subject: your VISA card 4XXX XXXX XXXX XXXX: possible fraudulent transaction ID 19469529001

Dear VISA card holder,
A recent review of your transaction history determined that your card was used at an ATM located in Angola, but for security reasons the requested transaction was refused. Please carefully review electronic report for your VISA card at:

http://sessionid-202UOB2CK81RMK.visa.com/cards/alerts/transactions.php?ref=[long code number]
Mess ID: [long code number]

(If you're wondering how they knew your Visa card number starts with 4 -- it's because they all do.)

There's a recent pattern of abuse of Belgium's .be TLD. They don't accept abuse reports. They make you report it to Belgian law enforcement, giving the scammers crucial extra time to infect computers and collect identity data before their domains are taken off line.

Checking via nameservers (and how obvious is a nameserver called "ns1.misusefine.com"?) shows lots of other domain names that are used interchangeably in these URLs. Assume there will be a continuous flow of more as these are shut down.

New computers are fun, but keep your computer as clean as it was out of the box -- update the AV first, and use your head before you click on any links or open any attachments.
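The Facebook and credit-report links quoted above put a familiar-looking name at the front of the hostname, while the domain that was actually registered sits at the end. The following Python sketch is an added example, not part of the original post: it splits a link target into its registered domain and the domain-like name buried in the subdomain. The suffix set, the label set and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: constructed subset of multi-label public suffixes covering the
# samples in this post; production code should load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.pl", "co.uk", "com.mx"}
# Assumption: labels that make a subdomain read like a complete domain name.
TLD_LOOKING_LABELS = {"com", "org", "net"}


def split_host(url):
    """Return (subdomain_labels, registered_domain) for the URL's hostname."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".") if host else []
    if len(labels) < 2:
        return [], host
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    keep = suffix_len + 1  # public suffix plus the one label that was registered
    return labels[:-keep], ".".join(labels[-keep:])


def embedded_domain(url):
    """Return the domain-like name buried in the subdomain part, or None."""
    sub, _ = split_host(url)
    for i, label in enumerate(sub):
        if label in TLD_LOOKING_LABELS and i > 0:
            return ".".join(sub[i - 1:i + 1])  # e.g. "facebook.com"
    return None


def check_link(url):
    """Summarise who really controls the link target and what it imitates."""
    _, registered = split_host(url)
    return {"registered": registered, "imitates": embedded_domain(url)}


# Link targets quoted in the post above (query strings shortened to "x").
SAMPLES = [
    "http://www.facebook.com.itfhtl1ii.com.pl/usersdirectory/LoginFacebook.php?ref=x",
    "http://session-5766072233698.fcb.org.icuf1itll.be/scorepages/h-files/assistant.php?session=x",
    "https://www.facebook.com/login.php",  # constructed benign comparison
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_link(link))
```

Run the check on the link's real target (the href), not on the text displayed in the message, since the two can differ.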

 

December 24, 2009
Fake security scan spamming Skype users

If you use Skype and accept messages from people not already on your friends list, you probably get spam messages regularly. This one showed up Dec. 24 from user "update.notice.bop17":

[1:57:41 PM] update.notice.bop17: URGENT SYSTEM SCAN NOTIFICATION ! PLEASE READ CAREFULLY !!

http://www.updatekt.org/

For the link to become active, please click on 'Add to contacts' skype button or type it in manually into your web browser !

FULL DETAILS OF SCAN RESULT BELOW
****************************************

WINDOWS REQUIRES IMMEDIATE ATTENTION

ATTENTION ! Security Center has detected
malware on your computer !

Affected Software:

Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns

Recommendation: Users running vulnerable version should install a repair utility immediately

Your system IS affected, download the patch from the address below !
Failure to do so may result in severe computer malfunction.

http://www.updatekt.org/

For the link to become active, please click on 'Add to contacts' skype button or type it in manually into your web browser!

If you check out the site, you see an image pretending to be a Windows directory on your computer.

It's especially fun to do that if you don't have Windows, or if you have changed your Windows color scheme to something other than the usual blue theme. (That's a useful way to catch less obvious versions of this trick, by the way.)

It's a common scam. Make the users think their own computers are reporting malware, so they'll be scared enough to download something to fix the problem. Needless to say, anyone who needs to do this to convince you to download their product is not trustworthy. And you should never download anything from someone who isn't trustworthy.

But wait, there's more. It leads you to a checkout page for a product called Repair Registry 2008. (At least Windows Antivirus 2010 keeps updating their name.) They actually want you to pay to have your computer infected with their product. So they can put what is probably malware on your computer, then get your credit card number, too. They're actually using a secure page on a third party payment processing site, secureorderstore.com, which may or may not know what type of spammers they're doing business with. The seals from McAfee and GeoTrust are endorsing the security certificate of the payment site, not the software they're selling.

What kind of malware could you get from people like this? It could be anything. (I'm obviously not going to pay to find out.) Common types are "scareware" (programs that find nonexistent viruses and trojans, then make you pay for removal) and "hostageware" (programs that, once installed on your computer, won't stop creating popups or other annoyances until you pay to get them uninstalled). Others simply claim to be security software, but don't really detect anything worth paying for. That's often apparent when they are installed on Macintosh machines and proceed to find Windows problems that can't actually exist, or because the size of the file is far too small for what they claim to be able to do.

In any case, you don't actually need to know the details. Advertised in spam, using deceptive sales tactics -- run away as fast as you can.

And report the spam, too.

 

December 9, 2009
Google scammers take aim at Barack Obama

Google made news on December 8 by filing a lawsuit against the perpetrators of the "Google Adworks" scam, a heavily spammed series of domains that claim one can make thousands of dollars a month from "working for Google." The whole scheme is explained on Google's blog, with the actual lawsuit here. (It's actually pretty good reading -- they really did some good research, especially considering how clueless Google previously appeared when spammers were registering thousands of Blogger sites to host spam links.)

The spam is still arriving with new links for the same scam, so the perps aren't too deterred. The registrar for the domains, Moniker, has been taking them down quickly when reported.

Birds of a feather flock together, and there are more of the same scam domains sharing the same IP address, 213.163.84.163 (a host called Serverboost in the Netherlands on the larger network AS49544, Interactive3D):

mylocaltimes.org
localtimes2.org
thelocalnews1.org
thetimesjobs.org
mylocaltimes.org

 

However, you also find a set of domains with a different web page:

It's the same scam, different target. This site has nothing to do with Barack Obama's political organization, "Organizing for America." And they don't actually say they do. But they display his logo, the name of the organization, and a quote from him. They don't display any information to explain who "USARelief" is, leaving people to wrongly assume they are part of the same organization. Example domains are:

realreliefusa.org
usa-relief.org
usareliefstimulus.org
myusarelief.org
usarelief.org
realreliefusa.com

 

Entering information leads you to

path-2-grants.com

 

The terms and conditions page hasn't been uploaded yet. But the names of the news organizations, the fake check and the phony testimonials look pretty similar to the Google scam pages, too.

 

So don't wait to hear it from hundreds of people who've already been scammed. Barack Obama has nothing to do with this. Scammers who are violating his trademark are going to be the last people on the planet who will be able to help you get government grant money.